Your Kubernetes controller manager has been provided a cluster-cidr (i.e. by passing --cluster-cidr=192.168.0.0/16, which the manifest expects by default).

Note: If you are upgrading from Calico v2.1, the cluster-cidr selected for your controller manager should remain
unchanged from the v2.1 install (the v2.1 manifests default to 10.244.0.0/16).

Installation

This document describes three installation options for Calico using Kubernetes API as the datastore:

Calico policy with Calico networking (beta)

Calico policy-only with user-supplied networking

Calico policy-only with flannel networking

Ensure you have a cluster which meets the above requirements. There may be additional requirements based on the installation option you choose.

Note: There is currently no upgrade path to switch between different installation options. Therefore,
if you are upgrading from Calico v2.1, use the Calico policy-only with user-supplied networking installation instructions
to upgrade Calico policy-only which leaves the networking solution unchanged.

RBAC

Before you install Calico, if your Kubernetes cluster has RBAC enabled, you’ll need to create the following
RBAC roles to allow API access to Calico.

Apply the following manifest to create these necessary RBAC roles and bindings.

Note: The following RBAC policy is compatible with the Kubernetes v1.6+ manifests only.

Calico policy with Calico networking on kubeadm

The above manifests are compatible with kubeadm clusters initialized with a
pod-network-cidr matching the default pool of 192.168.0.0/16, as follows:

kubeadm init --pod-network-cidr=192.168.0.0/16

Configuring your BGP topology (optional)

Some users running at high scale or on-premise may want to update Calico’s BGP peering configuration using calicoctl. For example,
you may wish to turn off the full node-to-node mesh and configure a pair of redundant route reflectors.

2. Calico policy-only with user-supplied networking

If you run Calico in policy-only mode it is necessary to configure your network to route pod traffic based on pod
CIDR allocations, either through static routes, a Kubernetes cloud-provider integration, or flannel (self-installed).

To install Calico in policy-only mode, run one of the following commands based on your Kubernetes version:

How it works

Calico typically uses etcd to store information about Kubernetes Pods, Namespaces, and NetworkPolicies. This information
is populated to etcd by the Calico CNI plugin and policy controller, and is interpreted by Felix and BIRD to program the dataplane on
each host in the cluster.

The above manifest deploys Calico such that Felix uses the Kubernetes API directly to learn the required information to enforce policy,
removing Calico’s dependency on etcd and the need for the Calico kubernetes policy controller.

The Calico CNI plugin is still required to configure each pod’s virtual ethernet device and network namespace.